Tres Seaver wrote:
> Martin Aspeli wrote:
>> I've not done this yet:
>>> 3) Change the Permission class in AccessControl so that it tries to
>>> look up an IPermission utility and use the title of that utility as the
>>> permission name, falling back on the current behaviour of using the
>>> passed permission name directly.
>> I'd like to solicit a bit more input before attempting this, as I got at
>> least one -1.
>> I think this is the bigger win, though, and I'd still like to do it
>> unless performance becomes prohibitive or it turns out to be too
>> invasive a change.
> -1: I think both of those will be true. I also don't see much win.
> The major goal should be to unify the API for add-ons, rather than the
> implementation: your #1 and #2 already did that, I think.

I had a deeper look last night, and I think this would be more invasive
than I'd feared. I thought originally the Permission class was used
everywhere, but on further inspection, I see that manually constructed
'_Permission' strings are used in a lot of places, including C code.

It frightens me slightly that, having pdb'd my way through AccessControl
a number of times, I still have only a fuzzy idea about how the
permissions system works, and I haven't found any solid documentation
with the code.

I think to unify the API, we'd need to:

- Promote the zope.security checkPermission method like Hanno suggested
- Change rolemap.xml in GenericSetup to accept Zope 2 names
- Look at other places where permission names are passed around in
  code (there are a few places in Plone, for instance) and make sure we
  always prefer the Zope 3 dotted name.

Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book